Add support for CLI update command

Open aliask opened this issue 2 years ago • 4 comments

As requested by Phiz in #268, I have added support for a `rocketpool update` CLI command which will:

  • check what the latest version is via the GitHub API
  • compare with local version, and download it if it's newer
  • verify the PGP signature of the downloaded binary
  • replace existing client if all the above goes well

There are some assumptions regarding the filenames in the release, but these appear to be reasonably widely referenced already.

Optional flags included for this command:

  • `--force` will attempt to update, even if GitHub version is same/older
  • `--skip-signature-verification` will prevent any checks against the PGP signature
  • `--yes` will automatically confirm the update

aliask • Feb 12 '23 04:02

Seems great. I tested the various flags and it seems to be working as expected.

There are just these two issues from golangci-lint:

```
update/update.go:135:14: Error return value of `output.Seek` is not checked (errcheck)
                output.Seek(0, io.SeekStart)
                           ^
update/update.go:16:2: SA1019: "golang.org/x/crypto/openpgp" is deprecated: this package is unmaintained except for security fixes. New applications should consider a more focused, modern alternative to OpenPGP for their specific task. If you are required to interoperate with OpenPGP systems and need a maintained package, consider a community fork. See https://golang.org/issue/44226. (staticcheck)
        "golang.org/x/crypto/openpgp"
        ^
```

Not critical things, but I think probably good to have a look at.

angaz • Feb 23 '23 09:02

I've added a check for the Seek(), but the openpgp deprecation is a tricky one. I couldn't find any third party libraries offering a drop-in functionality, but I'm not sure it's really that critical:

  • Despite being officially deprecated, it appears to still be being updated - the last release was only a couple of weeks ago
  • Other major projects are still depending on it, including geth

aliask • Feb 24 '23 22:02

> I've added a check for the Seek(), but the openpgp deprecation is a tricky one. I couldn't find any third party libraries offering a drop-in functionality, but I'm not sure it's really that critical:
>
> * Despite being _officially_ deprecated, it appears to still be being updated - the last release was only a couple of weeks ago
> * Other major projects are still depending on it, including [geth](https://github.com/ethereum/go-ethereum/blob/master/.golangci.yml#L53)

Looks good. Yeah I think it will be fine and we can replace the library if there are any CVEs. I'm pretty sure it will be perfectly fine.

angaz • Feb 24 '23 23:02

I rate it's good to go. :rocket:

angaz • Feb 24 '23 23:02
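
The verify-then-replace steps from the opening post, with the rewind checked as the errcheck finding asks, as an added example that is not the PR's code. It uses only the standard library: the `verify` callback is a hypothetical stand-in for the PGP signature check, and the names `installVerified` and `demo` are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// installVerified stages src beside target, runs verify over it, and renames it
// over target only on success. verify is a hypothetical stand-in for the PGP check.
func installVerified(src io.Reader, target string, verify func(io.Reader) error) (err error) {
	tmp, err := os.CreateTemp(filepath.Dir(target), ".update-*")
	if err != nil {
		return fmt.Errorf("creating temp file: %w", err)
	}
	defer func() {
		tmp.Close() // harmless if already closed
		if err != nil {
			os.Remove(tmp.Name()) // never leave an unverified binary behind
		}
	}()
	if _, err = io.Copy(tmp, src); err != nil {
		return fmt.Errorf("writing download: %w", err)
	}
	// Rewind so verify reads from byte 0; a failed Seek must abort the update.
	if _, err = tmp.Seek(0, io.SeekStart); err != nil {
		return fmt.Errorf("rewinding download: %w", err)
	}
	if err = verify(tmp); err != nil {
		return fmt.Errorf("signature verification: %w", err)
	}
	if err = tmp.Chmod(0o755); err != nil {
		return fmt.Errorf("setting mode: %w", err)
	}
	if err = tmp.Close(); err != nil {
		return fmt.Errorf("closing download: %w", err)
	}
	return os.Rename(tmp.Name(), target)
}

// demo runs the flow on constructed input with a verifier that always rejects.
func demo() error {
	target := filepath.Join(os.TempDir(), "demo-client")
	reject := func(io.Reader) error { return fmt.Errorf("bad signature") }
	return installVerified(strings.NewReader("new"), target, reject)
}
func main() { fmt.Println(demo()) }
```

Staging the download in the target's own directory keeps the final rename on one filesystem, so the existing client is either fully replaced or not touched at all.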